here is my sssd.conf
[domain/mydomain.com]
filter_users=root,ubuntu,ec2-user,centos
filter_groups=root,ubuntu,ec2-user,centos
offline_timeout = 60
ignore_group_members = true
cache_credentials = true
krb5_store_password_if_offline = True
ipa_hbac_refresh = 60
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ipa
dns_discovery_domain = mydomain.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_sudo_use_host_filter = false
ldap_sudo_refresh_enabled = true
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=200
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com?subtree?(|(sudoHost=ip-10-10-247-202-3456.ipa-dev)(sudoHost=+.svc_ipa-dev*)(sudoHost=ALL))
ldap_connection_expire_timeout = 87473
entry_cache_timeout = 172800
krb5_auth_timeout = 30
debug_level = 9

[sssd]
reconnection_retries = 3
config_file_version = 2
services = nss, sudo, pam, ssh
domains = mydomain.com
debug_level = 9

[nss]
homedir_substring = /home
debug_level = 9

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]

[ssh]
debug_level = 9

[pac]

[ifp]

[secrets]

[session_recording]

[prompting/password]
password_prompt = Password :

[prompting/2fa]
single_prompt = False
first_prompt = First Factor:
second_prompt = Second Factor:

When SSSD is online, the ssh prompt for a 2fa user asks like below:

First Factor:
Second Factor:

But if SSSD goes offline, the ssh prompt asks only for the password, like:

password :

How can I configure SSSD to get the multi-prompt for a 2fa user even in SSSD offline mode? Of course, OTP validation will be ignored even if the user inputs an OTP. I just want to keep the multi-prompt in both SSSD online and SSSD offline mode. Is it possible to configure this?

On Mon, Oct 21, 2024 at 04:06:12AM -0000, seojeong kim via sssd-users wrote:
> here is my sssd.conf
>
> [domain/mydomain.com]
> filter_users=root,ubuntu,ec2-user,centos
> filter_groups=root,ubuntu,ec2-user,centos
> offline_timeout = 60
> ignore_group_members = true
> cache_credentials = true
> krb5_store_password_if_offline = True
> ipa_hbac_refresh = 60
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> sudo_provider = ipa
> dns_discovery_domain = mydomain.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_sudo_use_host_filter = false
> ldap_sudo_refresh_enabled = true
> ldap_sudo_full_refresh_interval=86400
> ldap_sudo_smart_refresh_interval=200
> ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com?subtree?(|(sudoHost=ip-10-10-247-202-3456.ipa-dev)(sudoHost=+.svc_ipa-dev*)(sudoHost=ALL))
> ldap_connection_expire_timeout = 87473
> entry_cache_timeout = 172800
> krb5_auth_timeout = 30
> debug_level = 9
>
> [sssd]
> reconnection_retries = 3
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = mydomain.com
> debug_level = 9
>
> [nss]
> homedir_substring = /home
> debug_level = 9
>
> [pam]
> debug_level = 9
>
> [sudo]
> debug_level = 9
>
> [autofs]
>
> [ssh]
> debug_level = 9
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> [prompting/password]
> password_prompt = Password :
>
> [prompting/2fa]
> single_prompt = False
> first_prompt = First Factor:
> second_prompt = Second Factor:
>
> When SSSD is online, the ssh prompt for a 2fa user asks like below:
>
> First Factor:
> Second Factor:
>
> But if SSSD goes offline, the ssh prompt asks only for the password, like:
>
> password :
>
> How can I configure SSSD to get the multi-prompt for a 2fa user even in SSSD offline mode? Of course, OTP validation will be ignored even if the user inputs an OTP. I just want to keep the multi-prompt in both SSSD online and SSSD offline mode. Is it possible to configure this?

Hi,
this is currently not possible. The prompting is selected based on the available authentication methods. While offline, only authentication with the long-term password is available, and hence SSSD is only using the password prompt.
HTH
bye, Sumit
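
The behaviour described in the reply, as an added example that is not part of the thread and not SSSD's own code: a simplified model that resolves which `[prompting/...]` section of an sssd.conf applies for a PAM service when the domain is online versus offline. The function names, the `DEFAULT` placeholder and the two-method model (only "2fa" and "password") are assumptions made for illustration; the sample configuration is constructed from the prompting sections posted above.

```python
import configparser

# Constructed sample: only the [prompting/...] sections from the posted sssd.conf.
SAMPLE_CONF = """
[prompting/password]
password_prompt = Password :

[prompting/2fa]
single_prompt = False
first_prompt = First Factor:
second_prompt = Second Factor:
"""

DEFAULT = "<SSSD built-in prompt>"  # placeholder; built-in strings are not modelled


def available_method(online, user_has_2fa):
    """Simplified model of the reply: offline, only the long-term password works."""
    return "2fa" if (online and user_has_2fa) else "password"


def prompts(conf_text, service, online, user_has_2fa):
    """Return the list of prompt strings shown for `service` in this model."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    method = available_method(online, user_has_2fa)
    # A service-specific subsection such as [prompting/2fa/sshd] takes
    # precedence over the generic [prompting/2fa] section.
    candidates = (f"prompting/{method}/{service}", f"prompting/{method}")
    name = next((n for n in candidates if cp.has_section(n)), None)

    def opt(key):
        return cp.get(name, key, fallback=DEFAULT) if name else DEFAULT

    if method == "password":
        return [opt("password_prompt")]
    # single_prompt = True: both factors are typed at the first prompt.
    single = bool(name) and cp.getboolean(name, "single_prompt", fallback=False)
    if single:
        return [opt("first_prompt")]
    return [opt("first_prompt"), opt("second_prompt")]


if __name__ == "__main__":
    for state in (True, False):
        print("online" if state else "offline", prompts(SAMPLE_CONF, "sshd", state, True))
```
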